ModernPentest

Vulnerability Detection

How ModernPentest finds and validates security vulnerabilities

Learn how ModernPentest's AI-powered detection engine finds real security vulnerabilities while maintaining a low false positive rate.

Detection Approach

ModernPentest combines multiple techniques to maximize detection accuracy:

Automated Scanning

Industry-standard security tools provide broad coverage across known vulnerability patterns and common attack vectors.

AI-Powered Testing

Context-aware testing with adaptive payloads that understand your application's behavior and technology stack.

Validation & Verification

Confirm exploitability and reduce false positives by validating each finding with proof-of-concept evidence.

What We Detect

Web Applications

Injection Vulnerabilities

  • SQL Injection (error-based, blind, time-based)
  • Cross-Site Scripting (reflected, stored, DOM-based)
  • Command Injection (OS commands)
  • Server-Side Template Injection (SSTI)
  • XML External Entity Injection (XXE)
  • NoSQL Injection

Access Control Issues

  • Insecure Direct Object References (IDOR)
  • Horizontal Privilege Escalation
  • Vertical Privilege Escalation
  • Forced Browsing
  • Missing Function-Level Access Control

Authentication Weaknesses

  • Weak Password Policies
  • Session Management Flaws
  • JWT Security Issues
  • Missing Multi-Factor Authentication
  • Credential Stuffing Vulnerabilities

Security Misconfigurations

  • Debug Modes Enabled
  • Default Credentials
  • Verbose Error Messages
  • Missing Security Headers
  • CORS Misconfigurations

APIs

OWASP API Top 10 Coverage

  • Broken Object Level Authorization (BOLA)
  • Broken Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Asset Management
  • Insufficient Logging

Platform-Specific

Supabase

  • Row Level Security (RLS) gaps
  • Storage bucket misconfigurations
  • Edge function authentication bypass
  • Anonymous access issues

Firebase

  • Firestore security rule bypasses
  • Realtime Database permission issues
  • Cloud Storage rule misconfigurations
  • API key exposure

Detection Accuracy

We maintain a false positive rate below 5% through multiple validation layers:

1. Context Analysis

Before flagging a finding, we analyze:

  • Application context - Is this parameter actually vulnerable?
  • Framework behavior - Does the framework already protect against this?
  • Technology stack - Are there built-in mitigations?

2. Evidence Validation

Each finding requires proof:

  • Request/Response pairs - Actual HTTP traffic
  • Behavioral changes - Observable differences indicating vulnerability
  • Error indicators - Database errors, stack traces, timing differences

3. Exploitability Confirmation

For critical findings, we verify:

  • Can the vulnerability actually be exploited?
  • What's the real-world impact?
  • Is the proof of concept reliable?

4. AI-Powered Review

Our AI reviews findings for:

  • Common false positive patterns
  • Context-inappropriate alerts
  • Duplicate or related issues

A false positive rate below 5% means you spend time fixing real vulnerabilities, not investigating false alarms.

Severity & Priority

We use a multi-factor system to help you focus on what matters most.

Severity Levels

Each vulnerability is assigned a severity level by our scanning agents:

| Level    | Description                                    | Color  |
|----------|------------------------------------------------|--------|
| Critical | Immediate exploitation risk with severe impact | Red    |
| High     | Serious security impact, readily exploitable   | Orange |
| Medium   | Moderate risk, may require specific conditions | Amber  |
| Low      | Minor issues with limited impact               | Green  |
| Info     | Observations and recommendations               | Gray   |

Priority Calculation

Priority determines remediation order, calculated from severity, exploitability, and remediation effort:

| Priority      | Criteria                                      | Action              |
|---------------|-----------------------------------------------|---------------------|
| P1 (Critical) | Critical severity, OR High + exploit available | Fix immediately     |
| P2 (High)     | High severity, OR Medium + trivial/low effort  | Fix within days     |
| P3 (Medium)   | Medium severity, OR Low + trivial effort       | Fix within weeks    |
| P4 (Low)      | Low or Info severity                           | Fix when convenient |

Exploitability

We track whether a known exploit exists:

  • Exploit Available — Public exploit code exists, increasing priority
  • No Known Exploit — Theoretical vulnerability, standard priority

Remediation Effort

Estimated effort to fix, affecting priority calculation:

| Level     | Description                            |
|-----------|----------------------------------------|
| Trivial   | Quick config change or one-line fix    |
| Low       | Simple code change, under an hour      |
| Medium    | Moderate changes, a few hours          |
| High      | Significant refactoring, a day or more |
| Very High | Architectural changes required         |
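
The Priority Calculation rules above, written out as an added example (not ModernPentest's own code). It assumes the table rows are checked top-down with the first match winning; the `Finding` type, the function names, the tie-break order and the sample findings are constructed for illustration.

```python
from collections import namedtuple

SEVERITIES = ("critical", "high", "medium", "low", "info")
EFFORTS = ("trivial", "low", "medium", "high", "very high")

# Hypothetical record type: one row per finding.
Finding = namedtuple("Finding", "title severity exploit_available effort")

def priority(f):
    """Map a finding to P1..P4 using the table's rows, checked top-down.
    Assumption: the first matching row wins."""
    sev, eff = f.severity.lower(), f.effort.lower()
    if sev not in SEVERITIES or eff not in EFFORTS:
        raise ValueError(f"unknown severity/effort: {f.severity!r}/{f.effort!r}")
    if sev == "critical" or (sev == "high" and f.exploit_available):
        return "P1"
    if sev == "high" or (sev == "medium" and eff in ("trivial", "low")):
        return "P2"
    if sev == "medium" or (sev == "low" and eff == "trivial"):
        return "P3"
    return "P4"

def remediation_queue(findings):
    """Sort by priority, then severity, then cheapest fix first.
    The two tie-breaks are assumptions, not stated on the page."""
    def key(f):
        return (priority(f), SEVERITIES.index(f.severity.lower()),
                EFFORTS.index(f.effort.lower()))
    return sorted(findings, key=key)

# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("Verbose error messages", "Low", False, "Trivial"),
    Finding("IDOR on invoice endpoint", "High", False, "Medium"),
    Finding("SQL injection in search", "High", True, "Low"),
    Finding("Missing security headers", "Medium", False, "Trivial"),
    Finding("Session management flaw", "Medium", False, "High"),
    Finding("Server banner disclosure", "Info", False, "Trivial"),
    Finding("RLS gap on profiles table", "Critical", False, "Medium"),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE):
        print(priority(f), f.severity, f.title)
```

Note that a Medium finding is promoted to P2 only by a trivial or low-effort fix; under the table as written, an available exploit raises priority only for High severity.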

Detection Configuration

Pentest Scope

Define what gets tested:

  • Include patterns - URLs to test
  • Exclude patterns - Skip certain paths

Continuous Improvement

Our detection capabilities improve continuously:

New Vulnerability Coverage

  • Weekly updates for new vulnerability types
  • CVE-based detection rules
  • Community-reported patterns

False Positive Reduction

  • Customer feedback integration
  • Model retraining
  • Pattern refinement

Performance Optimization

  • Faster pentest completion
  • More efficient payloads
  • Better resource utilization

Vulnerability Details

When you view a vulnerability, you'll see comprehensive information organized into tabs:

Overview

The header displays key information at a glance:

  • Severity badge — Color-coded risk level
  • Status badge — Current workflow state (Open, In Remediation, Fixed, etc.)
  • Priority badge — P1-P4 remediation priority
  • Endpoint — Affected URL with HTTP method
  • OWASP category — Classification reference
  • Detection count — How many times detected

The Business Impact card is always visible, highlighting real-world consequences.

Evidence & POC Tab

Proof that the vulnerability exists:

  • Description — What was found
  • Proof of Concept — Reproducible steps with copy button
  • Test Payloads — Inputs that triggered the vulnerability
  • Attack Scenarios — How an attacker could exploit this

Technical Tab

Deep technical details:

  • Request Details — Endpoint, method, vulnerable parameter
  • Classification — Vulnerability type, CWE ID (linked to MITRE), OWASP category
  • Detection Metadata — First detected, last detected, detection count, consecutive scans

Remediation Tab

How to fix the issue:

  • Immediate Action — Critical first steps (highlighted)
  • Remediation Steps — Numbered instructions
  • Code Examples — Fix patterns for your framework
  • References — External documentation links

Detections Tab

Historical tracking:

  • Detection History — Timeline of all instances
  • Status History — Transitions with timestamps and reasons

Triage Controls

The sidebar lets you manage each vulnerability:

  • Assignee — Team member responsible
  • Priority — Override calculated priority if needed
  • Status — Update workflow state
  • Due Date — Set remediation deadline

Last updated: December 8, 2025